High CPU util on 3825

Hi,

We have been seeing very high CPU util values which reach the top (result of "sh processes cpu history" copied below). They were reaching only 40-50% a few months ago.

This is a router which has an ATM port with a connection of 16Mbps towards the internet, and on the inside the ethernet port is connected to our 6500 switch with 2500 PCs throughout the campus.

Is there anything I can do about this except replacing the router with a more powerful one ?

Regards.

******************************************************************** ******************************************************************** ******************************************************************** ********************************************************************

RESULT OF "sh processes cpu history"

04:47:28 PM Monday Nov 26 2007 GMT

666666666666666666666666777776666666666666666666666666666666
111144444444449999977777000004444444444777776666655555888888
100
90
80
70 *************** *********************
60 ************************************************************
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)

789877777788878777677778778788787778878767677767677886777777
519077783637150362947640743711869995191090503483939618457350
100 *
90 * * * * *
80 ******** *#**** * ** ** #**#*****#*** *** ** *
70 ########################################****#**#*####*#####*
60 ############################################################
50 ############################################################
40 ############################################################
30 ############################################################
20 ############################################################
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%

877897443233345789998899887655333344567887888878986677433335667899878889
699604649772625762229013267622821027779769487471085392753103364883193165
100 * *
90 * ** ***** ** * ** ** ** *** **
80 ***** ***#****#*** ************ * *##*****#
70 #**##* *#####*####** **######****#* ** **######*##
60 #####* **###########* **############**#* **##########
50 ######* *#############** **#################* ***##########
40 ######*** * **###############** **##################** *############
30 ########*****#################****#####################****#############
20 ########################################################################
10 ########################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
Reply to
Sanal Kisi

What kind of config are you running? This utilization seems high, but I need to know if it's getting the full internet table, and are you running NAT, etc.?

Reply to
Trendkill

Yes,

There are plenty of NAT and access lists available.

Below is a stripped version of the configuration.

Thanks in advance.

conf. //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////

Building configuration...

Current configuration : 22455 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot system flash c3825-advipservicesk9-mz.124-10b.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret xxxxxxxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
clock timezone GMT 2
no ip source-route
ip cef
!
ip domain name domain.com
ip name-server 10.0.0.9
ip name-server 10.0.0.46
ip inspect max-incomplete high 1600
ip inspect max-incomplete low 1200
ip inspect one-minute high 2000000000
ip inspect one-minute low 1000000000
ip inspect name firewall cuseeme timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall realaudio timeout 3600
ip inspect name firewall tftp timeout 30
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
!
voice-card 0
 no dspfarm
!
crypto pki certificate chain TP-self-signed-4150674149
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101
  04050030
  .
  .
  quit
username zxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group our-vpn
 key xxxxxxx23
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.248
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
interface GigabitEthernet0/0
 description FW_INSIDE
 ip address 192.168.240.1 255.255.255.248
 ip access-group sdm_gigabitethernet0/0_in in
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 no keepalive
 crypto map SDM_CMAP_2
!
interface GigabitEthernet0/1
 description FW_DMZ
 ip address external-ip
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 no keepalive
!
interface ATM1/0
 bandwidth 34000
 no ip address
 load-interval 30
 atm ilmi-keepalive
!
interface ATM1/0.32 point-to-point
 description FW_OUTSIDE
 ip address external-router-ip
 ip access-group sdm_ATM1/0_32_in in
 ip nat outside
 ip inspect firewall in
 ip virtual-reassembly max-reassemblies 1024
 no snmp trap link-status
 crypto map SDM_CMAP_1
 pvc ttnet 0/32
  oam-pvc manage
  encapsulation aal5snap
 !
!
ip local pool SDM_POOL_1 192.168.240.5 192.168.240.6
ip route 0.0.0.0 0.0.0.0 real-ip
ip route 10.0.0.0 255.0.0.0 192.168.240.2
ip route 172.16.0.0 255.255.0.0 192.168.240.2
ip route 192.168.0.0 255.255.0.0 192.168.240.2
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat translation max-entries all-host 100

/////// 30 lines of ip nat pool, one for each subnet ///////

/////// 30 lines of ip nat translations, one for each subnet ///////

/////// 50 lines of ip nat translations to real IP's ///////

!

/////// 30 access lists, one per subnet ///////

/////// aprx 60-70 permit-denys ///////

!
logging trap debugging
logging facility local6
logging source-interface GigabitEthernet0/0
logging 10.0.0.66
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.240.0 0.0.0.7 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
snmp-server community xxxxxx RO
snmp-server packetsize 2048
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Backbone Router
-----------------------------------------------------------------------
^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class management in
 transport input ssh
line vty 5 15
 access-class management in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179448
ntp server real-ip
!
end

//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////

Regards.

On Mon, 26 Nov 2007 07:23:05 -0800 (PST), Trendkill wrote:

Reply to
Sanal Kisi

When you do show proc cpu (without history), what are your high utilization processes?

Reply to
Trendkill

Below is the result of "sh proc cpu" which I obtained. The current cpu util is not very high at the moment though.

////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////

CPU utilization for five seconds: 72%/42%; one minute: 71%; five minutes: 71%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk Manager
2 185616 508801 364 0.00% 0.01% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 chkpt message ha
4 4 1 4000 0.00% 0.00% 0.00% 0 EDDRI_MAIN
5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check heaps
6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool Manager
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
8 296 42399 6 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
9 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC Periodic Tim
11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC Deferred Por
12 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
13 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
14 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
15 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
16 139900 508563 275 0.00% 0.00% 0.00% 0 Environmental mo
17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP Input
18 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
19 4 72 55 0.00% 0.00% 0.00% 0 AAA high-capacit
20 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
21 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
22 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
23 0 2 0 0.00% 0.00% 0.00% 0 Entity MIB API
24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED Syslog
25 22488 508585 44 0.00% 0.00% 0.00% 0 HC Counter Timer
26 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
27 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
28 0 2 0 0.00% 0.00% 0.00% 0 SMART
29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
30 0 2 0 0.00% 0.00% 0.00% 0 Dialer event
31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL A'detect
32 0 2 0 0.00% 0.00% 0.00% 0 XML Proxy Client
33 0 2 0 0.00% 0.00% 0.00% 0 cpf_process_msg_
34 0 1 0 0.00% 0.00% 0.00% 0 Inode Table Dest
35 0 1 0 0.00% 0.00% 0.00% 0 Critical Bkgnd
36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net Background
37 0 2 0 0.00% 0.00% 0.00% 0 IDB Work
38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY Background
40 241316 2544091 94 0.00% 0.01% 0.00% 0 Per-Second Jobs
41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA Mgr
42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC HA Mgr
43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute load avg
46 845372 43011 19654 0.00% 0.03% 0.00% 0 Per-minute Jobs
47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr Process
48 0 1 0 0.00% 0.00% 0.00% 0 Token Daemon
49 0 1 0 0.00% 0.00% 0.00% 0 dev_device_inser
50 0 1 0 0.00% 0.00% 0.00% 0 dev_device_remov
51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
52 0 1 0 0.00% 0.00% 0.00% 0 sal_dpc_process
53 0 1 0 0.00% 0.00% 0.00% 0 ARL Table Manage
54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp Storm Con
56 0 2 0 0.00% 0.00% 0.00% 0 ESWILPPM
57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp Storm Con
58 118640 10174788 11 0.00% 0.00% 0.00% 0 Netclock Backgro
59 0 2 0 0.00% 0.00% 0.00% 0 SM Monitor
60 0 2 0 0.00% 0.00% 0.00% 0 VNM DSPRM MAIN
61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM DSP READ
62 0 2 0 0.00% 0.00% 0.00% 0 FLEX DNLD MAIN
63 0 1 0 0.00% 0.00% 0.00% 0 HDV background
64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO IKMP IPC
65 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_DELA
66 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
67 13120 2538695 5 0.00% 0.00% 0.00% 0 Ether-Switch RBC
68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS TIMER_CU
69 0 1 0 0.00% 0.00% 0.00% 0 IGMP Snooping Pr
70 0 1 0 0.00% 0.00% 0.00% 0 IGMP Snooping Re
71 488 84796 5 0.00% 0.00% 0.00% 0 Call Management
72 0 1 0 0.00% 0.00% 0.00% 0 CES Line Conditi
73 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM Periodic
75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP INPUT
76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM Input
77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM TIMER
78 0 2 0 0.00% 0.00% 0.00% 0 Dot11 auth Dot1x
79 0 1 0 0.00% 0.00% 0.00% 0 Dot11 Mac Auth
80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
81 0 2 0 0.00% 0.00% 0.00% 0 DTP Protocol
82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM Aging Pr
83 1452 254347 5 0.00% 0.00% 0.00% 0 EtherChnl
84 0 2 0 0.00% 0.00% 0.00% 0 AAA Dictionary R
85 8 134 59 0.00% 0.00% 0.00% 0 AAA Server
86 0 1 0 0.00% 0.00% 0.00% 0 AAA ACCT Proc
87 0 1 0 0.00% 0.00% 0.00% 0 ACCT Periodic Pr
88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP Protocol
89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP Input
90 0 1 0 0.00% 0.00% 0.00% 0 ICMP event handl
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
91 0 74 0 0.00% 0.00% 0.00% 0 TurboACL
92 0 2 0 0.00% 0.00% 0.00% 0 TurboACL chunk
93 156 4237 36 0.00% 0.00% 0.00% 0 MOP Protocols
94 0 3 0 0.00% 0.00% 0.00% 0 PPP Hooks
95 212 81 2617 0.00% 0.13% 0.03% 322 SSH Process
96 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager
97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS Test Client
98 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Mana
99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS Feature Time
100 0 1 0 0.00% 0.00% 0.00% 0 VPDN call manage
101 0 1 0 0.00% 0.00% 0.00% 0 L2X Socket proce
102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS manager
103 0 2 0 0.00% 0.00% 0.00% 0 L2TP mgmt daemon
104 0 1 0 0.00% 0.00% 0.00% 0 X.25 Encaps Mana
105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP Process
106 0 2 0 0.00% 0.00% 0.00% 0 IP Host Track Pr
107 0 1 0 0.00% 0.00% 0.00% 0 IPv6 RIB Redistr
108 0 2 0 0.00% 0.00% 0.00% 0 KRB5 AAA
109 0 1 0 0.00% 0.00% 0.00% 0 IP Traceroute
110 15024 84724 177 0.00% 0.00% 0.00% 0 IP Background
111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB Update
112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP Route
113 0 2 0 0.00% 0.00% 0.00% 0 PPP IPCP
114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF process
115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket Timers
116 236 6474 36 0.00% 0.00% 0.00% 0 TCP Timer
117 56 55 1018 0.00% 0.00% 0.00% 0 TCP Protocols
118 0 1 0 0.00% 0.00% 0.00% 0 COPS
119 4 2 2000 0.00% 0.00% 0.00% 0 L2MM
120 0 1 0 0.00% 0.00% 0.00% 0 MRD
121 0 1 0 0.00% 0.00% 0.00% 0 IGMPSN
122 0 2 0 0.00% 0.00% 0.00% 0 RLM groups Proce
123 0 2 0 0.00% 0.00% 0.00% 0 DDP
124 0 2 0 0.00% 0.00% 0.00% 0 SNMP Timers
125 0 2 0 0.00% 0.00% 0.00% 0 ILMI Input
126 0 2 0 0.00% 0.00% 0.00% 0 ILMI Request
127 0 2 0 0.00% 0.00% 0.00% 0 ILMI Response
128 80744 1270679 63 0.00% 0.00% 0.00% 0 ILMI Timer Proce
129 4 2 2000 0.00% 0.00% 0.00% 0 ATM PVC Discover
130 0 2 0 0.00% 0.00% 0.00% 0 SSCOP Input
131 0 2 0 0.00% 0.00% 0.00% 0 SSCOP Output
132 420 42411 9 0.00% 0.00% 0.00% 0 SSCOP Timer
133 0 2 0 0.00% 0.00% 0.00% 0 ATMSIG ILMI Time
134 0 2 0 0.00% 0.00% 0.00% 0 ATMSIG DRIVERAPI
135 25972 2538690 10 0.00% 0.00% 0.00% 0 ATMSIG Timer
136 0 2 0 0.00% 0.00% 0.00% 0 ATMSIG Input
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
137 0 2 0 0.00% 0.00% 0.00% 0 ATMSIG Client
138 0 2 0 0.00% 0.00% 0.00% 0 SCTP Main Proces
139 0 1 0 0.00% 0.00% 0.00% 0 IUA Main Process
140 32128 2538704 12 0.00% 0.00% 0.00% 0 RUDPV1 Main Proc
141 0 1 0 0.00% 0.00% 0.00% 0 bsm_timers
142 12584 2538698 4 0.00% 0.00% 0.00% 0 bsm_xmt_proc
143 0 1 0 0.00% 0.00% 0.00% 0 CES Client SVC R
144 363792 5070201 71 0.00% 0.02% 0.00% 0 DHCPD Receive
145 0 2 0 0.00% 0.00% 0.00% 0 Dialer Forwarder
146 185500 42391 4375 0.00% 0.00% 0.00% 0 IP Cache Ager
147 7544 42402 177 0.00% 0.00% 0.00% 0 Adj Manager
148 88 8482 10 0.00% 0.00% 0.00% 0 HTTP CORE
149 0 1 0 0.00% 0.00% 0.00% 0 RARP Input
150 0 1 0 0.00% 0.00% 0.00% 0 PAD InCall
151 0 2 0 0.00% 0.00% 0.00% 0 X.25 Background
152 0 2 0 0.00% 0.00% 0.00% 0 PPP Bind
153 0 2 0 0.00% 0.00% 0.00% 0 PPP SSS
154 354256 24969901 14 0.00% 0.02% 0.02% 0 RBSCP Background
155 60466848 169323130 357 5.48% 5.91% 5.57% 0 Inspect Timer
156 428 21200 20 0.00% 0.00% 0.00% 0 DHCPD Timer
157 112 8480 13 0.00% 0.00% 0.00% 0 Authentication P
158 0 1 0 0.00% 0.00% 0.00% 0 Auth-proxy AAA B
159 0 1 0 0.00% 0.00% 0.00% 0 CHKPT EXAMPLE
160 0 1 0 0.00% 0.00% 0.00% 0 CHKPT DevTest
161 0 1 0 0.00% 0.00% 0.00% 0 IPS Timer
162 4 2 2000 0.00% 0.00% 0.00% 0 SDEE Management
163 0 1 0 0.00% 0.00% 0.00% 0 IPv6 Inspect Tim
164 0 2 0 0.00% 0.00% 0.00% 0 URL filter proc
165 0 3 0 0.00% 0.00% 0.00% 0 Crypto HW Proc
166 100 2 50000 0.00% 0.00% 0.00% 0 CCVPM_HDSPRM
167 15568 940826 16 0.00% 0.00% 0.00% 0 FLEX DSPRM MAIN
168 5676 940824 6 0.00% 0.00% 0.00% 0 FLEX DSP KEEPALI
169 1276 101762 12 0.00% 0.00% 0.00% 0 CRM_CALL_UPDATE_
170 0 4 0 0.00% 0.00% 0.00% 0 HDA DSPRM MAIN
171 0 2 0 0.00% 0.00% 0.00% 0 ENABLE AAA
172 0 1 0 0.00% 0.00% 0.00% 0 EM Background Pr
173 0 1 0 0.00% 0.00% 0.00% 0 Key chain liveke
174 0 2 0 0.00% 0.00% 0.00% 0 LINE AAA
175 340 2843 119 0.00% 0.00% 0.00% 0 LOCAL AAA
176 0 2 0 0.00% 0.00% 0.00% 0 TPLUS
177 0 2 0 0.00% 0.00% 0.00% 0 VSP_MGR
178 0 1 0 0.00% 0.00% 0.00% 0 encrypt proc
179 0 3 0 0.00% 0.00% 0.00% 0 Crypto WUI
180 124 842 147 0.00% 0.00% 0.00% 0 Crypto Support
181 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_HTSP
182 0 2 0 0.00% 0.00% 0.00% 0 VPM_MWI_BACKGROU
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
183 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_R2
184 32 2827 11 0.00% 0.00% 0.00% 0 FB/KS Log HouseK
185 4 2 2000 0.00% 0.00% 0.00% 0 EPHONE MWI BG Pr
186 0 1 0 0.00% 0.00% 0.00% 0 CCSWVOICE
187 0 1 0 0.00% 0.00% 0.00% 0 cpf_process_tpQ
188 0 1 0 0.00% 0.00% 0.00% 0 http client proc
190 0 1 0 0.00% 0.00% 0.00% 0 QOS_MODULE_MAIN
191 0 1 0 0.00% 0.00% 0.00% 0 RPMS_PROC_MAIN
192 0 1 0 0.00% 0.00% 0.00% 0 VoIP AAA
193 0 7 0 0.00% 0.00% 0.00% 0 crypto engine pr
194 228 4 57000 0.00% 0.00% 0.00% 0 Crypto CA
195 0 1 0 0.00% 0.00% 0.00% 0 Crypto PKI-CRL
196 0 1 0 0.00% 0.00% 0.00% 0 Crypto SSL
197 4 134 29 0.00% 0.00% 0.00% 0 Crypto ACL
198 0 2 0 0.00% 0.00% 0.00% 0 CRYPTO QoS proce
199 0 1 0 0.00% 0.00% 0.00% 0 Crypto INT
200 848 1788 474 0.00% 0.00% 0.00% 0 Crypto IKMP
201 1560 127258 12 0.00% 0.00% 0.00% 0 IPSEC key engine
202 0 1 0 0.00% 0.00% 0.00% 0 IPSEC manual key
203 0 1 0 0.00% 0.00% 0.00% 0 Crypto PAS Proc
204 0 17 0 0.00% 0.00% 0.00% 0 Crypto Delete Ma
205 0 2 0 0.00% 0.00% 0.00% 0 Key Proc
206 20896 2544003 8 0.00% 0.00% 0.00% 0 Crypto Device Up
207 0 2 0 0.00% 0.00% 0.00% 0 Multi-ISA Event
208 0 1 0 0.00% 0.00% 0.00% 0 Multi-ISA Cleanu
209 0 1 0 0.00% 0.00% 0.00% 0 PM Callback
210 0 1 0 0.00% 0.00% 0.00% 0 DATA Transfer Pr
211 0 1 0 0.00% 0.00% 0.00% 0 DATA Collector
212 12 184 65 0.00% 0.00% 0.00% 0 AAA SEND STOP EV
213 0 3 0 0.00% 0.00% 0.00% 0 EEM ED CLI
214 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Counter
215 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Interface
216 0 3 0 0.00% 0.00% 0.00% 0 EEM ED IOSWD
217 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Memory-th
218 0 2 0 0.00% 0.00% 0.00% 0 EEM ED None
219 0 2 0 0.00% 0.00% 0.00% 0 EM ED OIR
220 0 2 0 0.00% 0.00% 0.00% 0 EEM ED SNMP
221 576 42490 13 0.00% 0.00% 0.00% 0 EEM ED Timer
222 7748 518080 14 0.00% 0.00% 0.00% 0 EEM Server
223 1464 254348 5 0.00% 0.00% 0.00% 0 RMON Recycle Pro
224 0 2 0 0.00% 0.00% 0.00% 0 RMON Deferred Se
225 0 1 0 0.00% 0.00% 0.00% 0 Syslog Traps
226 22564 2530439 8 0.00% 0.00% 0.00% 0 trunk conditioni
227 0 1 0 0.00% 0.00% 0.00% 0 trunk conditioni
228 4 2 2000 0.00% 0.00% 0.00% 0 VLAN Manager
229 228 42404 5 0.00% 0.00% 0.00% 0 DHCPD Database
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
230 0 2 0 0.00% 0.00% 0.00% 0 EEM Policy Direc
231 77020984 29811994 2583 2.61% 2.44% 2.43% 0 Syslog
232 0 1 0 0.00% 0.00% 0.00% 0 VPDN Scal
233 2384 88218 27 0.00% 0.00% 0.00% 0 CEF Scanner
234 0 1 0 0.00% 0.00% 0.00% 0 tHUB
235 0 2 0 0.00% 0.00% 0.00% 0 tENM
236 180 1415 127 0.00% 0.00% 0.00% 0 SSH Event handle
238 13749824 5126990 2681 0.65% 0.68% 0.67% 0 IP NAT Ager
239 0 1 0 0.00% 0.00% 0.00% 0 IP NAT WLAN
240 2252 98964 22 0.00% 0.00% 0.00% 0 IP VFR proc
241 33192 103549 320 0.00% 0.00% 0.00% 0 IP SNMP
242 7648 51892 147 0.00% 0.00% 0.00% 0 PDU DISPATCHER
243 42664 51899 822 0.00% 0.00% 0.00% 0 SNMP ENGINE
244 0 1 0 0.00% 0.00% 0.00% 0 SNMP ConfCopyPro
245 0 1 0 0.00% 0.00% 0.00% 0 SNMP Traps
246 4453240 79637964 55 0.16% 0.14% 0.16% 0 NAT MIB Helper
247 47720 2544023 18 0.00% 0.00% 0.00% 0 NTP
248 473956 2065 229518 0.00% 0.00% 0.00% 0 crypto sw pk pro

////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////

On Mon, 26 Nov 2007 11:51:55 -0800 (PST), Trendkill wrote:

Reply to
Sanal Kisi

Do it when it's high, and focus on the heavy hitters. If it's NAT and other processor-intensive processes, plus the full BGP routing table (although I only see a default route so this may be a moot point), then you may have just exhausted the processor on this smaller router. A 3800 should handle the internet portion with no problem, but I have never used them for NAT, etc. The show proc cpu should help determine the issue. If this is the case, I would look for any potential config issues (which guys/gals on here should be able to help point out), and if there are none, then you may just need more horsepower. Hope this helps.

Reply to
Trendkill

Your problem in a nutshell is that you are running IOS Firewall, NAT and a high speed ATM interface on a low-end router. If your interface wasn't ATM, you would probably be OK, but ATM in this case is killing the router. The problem is that ATM uses cells and the IP packets need to be reassembled into packets before they can be inspected and NAT performed. If this were a packet interface, most of this processing would happen in hardware and you would be much better off. You didn't supply a "show ver" or a "show interface" but from the "show proc" you see that "IP Input" 20% and "Inspect" 6% are pretty high. If you add up all the numbers you only get to about 27%, so the rest of the CPU is being eaten up by hardware interrupt processing. Because the input interface is ATM, NAT and the packet inspection are being performed in software. Another good command is "show ip interface" which would show how many packets are being CEF switched, which in this case I would bet is pretty low. I would think that an ATM AIM card would help you out quite a bit here, since this module will offload the ATM processing.

Reply to
Thrill5

How about moving the ACL, NAT, firewall operations out of the 3825 to a new appliance?

If this is a better solution, then:

- which box would you suggest?

- would it be worth investing in a more clever appliance that would also help with IPS, antivirus, URL-filtering etc.?

- if yes, then which box would you suggest?

Regards.

Reply to
Sanal Kisi

Yes, it makes better sense to move these functions to a firewall. The firewall in IOS is not as robust or flexible as a firewall device. If you're perfectly happy with firewall functionality in IOS, then the AIM-ATM should fix the CPU issues you have, because the cell assembly/disassembly is done in hardware on the AIM. Another approach is to use a 7200VXR series or a 7300 series router, and on those devices the ATM interfaces also do cell assembly/disassembly in hardware.

Reply to
Thrill5

Most of the load comes from the interrupts on the interfaces (42%), and the rest from traffic that can't be CEF-switched (IP Input shows 20% load) and the firewall inspect timer (5,5%).

Try to see what's causing such a high rate of not-CEF-switched traffic with:

rtr# sh cef not-cef-switched

And you'll see something like this:

CEF Packets passed on to next switching layer
Slot  No_adj No_encap Unsupp'ted Redirect  Receive  Options   Access     Frag
RP     61336        0          0       12 11215087        0        0        0

Basically I'd target firewall (ip inspect) - for this you can check in the stats:

rtr#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
  tcp packets: [369836:123660915]
  udp packets: [64052:6836373]
   packets: [235:204]
  ftp packets: [4339:0]

If the process switch part is high, then you should move firewall/NAT to another box and treat the 3800 as a router doing ATM termination.

Reply to
Łukasz Bromir
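
The checks discussed in the replies above (splitting the "72%/42%" figure into interrupt and process load, ranking the busiest processes, and comparing process-switched with fast-switched inspect counters) can be scripted. The following is an added example, not code from any poster in this thread; the function names are made up here, the CPU lines are copied from the "sh proc cpu" output posted above, and the inspect counters are the illustrative figures from the last reply rather than values from the original poster's router.

```python
import re

# Constructed inputs: lines copied from outputs quoted in this thread.
CPU_HEADER = ("CPU utilization for five seconds: 72%/42%; "
              "one minute: 71%; five minutes: 71%")
PROC_ROWS = """\
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP Input
155 60466848 169323130 357 5.48% 5.91% 5.57% 0 Inspect Timer
231 77020984 29811994 2583 2.61% 2.44% 2.43% 0 Syslog
238 13749824 5126990 2681 0.65% 0.68% 0.67% 0 IP NAT Ager
"""
INSPECT_STATS = """\
Packet inspection statistics [process switch:fast switch]
  tcp packets: [369836:123660915]
  udp packets: [64052:6836373]
   packets: [235:204]
  ftp packets: [4339:0]
"""

def split_cpu(header):
    """Return (total, interrupt, process) percent for the 5-second sample.

    In 'T%/I%', T is total CPU and I is the share spent at interrupt level;
    the remainder is process-level load.
    """
    m = re.search(r"five seconds:\s*(\d+)%/(\d+)%", header)
    if not m:
        raise ValueError("no 'five seconds: T%/I%' field found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    return total, interrupt, total - interrupt

# PID, Runtime, Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process name
ROW = re.compile(r"\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%"
                 r"\s+[\d.]+%\s+\d+\s+(.+?)\s*$")

def top_processes(rows, n=3):
    """Return the n busiest (name, 5-second %) pairs; header lines are skipped."""
    found = []
    for line in rows.splitlines():
        m = ROW.match(line)
        if m:
            found.append((m.group(2), float(m.group(1))))
    return sorted(found, key=lambda p: p[1], reverse=True)[:n]

STAT = re.compile(r"^[ \t]*(\w*)[ \t]*packets:[ \t]*\[(\d+):(\d+)\]", re.M)

def process_switched_share(stats):
    """Map protocol -> fraction of inspected packets that were process switched."""
    shares = {}
    for m in STAT.finditer(stats):
        proto = m.group(1) or "(unnamed)"   # the quoted output has one blank label
        proc, fast = int(m.group(2)), int(m.group(3))
        seen = proc + fast
        shares[proto] = proc / seen if seen else 0.0
    return shares

if __name__ == "__main__":
    total, intr, proc = split_cpu(CPU_HEADER)
    print(f"total {total}%  interrupt {intr}%  process {proc}%")
    for name, pct in top_processes(PROC_ROWS):
        print(f"  {pct:6.2f}%  {name}")
    for proto, share in process_switched_share(INSPECT_STATS).items():
        print(f"  {proto:10s} {share:8.3%} process switched")
```
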
